CVE-2026-45089— Dalfox: Unauthenticated Arbitrary File Create/Append via `output` Option in Dalfox Server Mode
Possible ATT&CK Techniques 1AI
T1222 · File and Directory Permissions ModificationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-45089
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Dalfox: Unauthenticated Arbitrary File Create/Append via `output` Option in Dalfox Server Mode
Source: NVD (National Vulnerability Database)
Vulnerability Description
Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the output, output-all, and debug fields in model.Options are JSON-tagged and deserialized directly from the attacker's request body, then propagated unchanged through dalfox.Initialize into the scan engine's logging path. The logger opens the attacker-supplied path with os.O_APPEND|os.O_CREATE|os.O_WRONLY and writes scan log lines to it. Critically, this file write block lives outside the IsLibrary guard in DalLog, so it executes even in server/library mode where file output was never intended to operate. Because no API key is required in the default configuration, an unauthenticated network caller can create or append to any file writable by the dalfox process on the host filesystem. This vulnerability is fixed in 2.13.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
文件名或路径的外部可控制
Source: NVD (National Vulnerability Database)
Vulnerability Title
dalfox 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
dalfox是HAHWUL个人开发者的一款自动化跨站脚本扫描工具。 Dalfox 2.13.0之前版本存在代码问题漏洞,该漏洞源于REST API服务器模式中output、output-all和debug字段直接从攻击者请求体反序列化并传播到扫描引擎的日志路径,可能导致未认证的网络调用者创建或追加写入任意文件。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-45089
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
Qwen3.6-35B-A3B · 11162 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-45089
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-45089 (1)
- 🔗 Release v2.13.0 · hahwul/dalfox · GitHubx_refsource_MISC
Vendor Advisories for CVE-2026-45089 (1)
Same Patch Batch · hahwul · 2026-05-27 · 4 CVEs total
| CVE-2026-45087 | 10.0 CRITICAL | Dalfox: Unauthenticated Remote Code Execution via `found-action` in Dalfox Server Mode |
| CVE-2026-45090 | 7.5 HIGH | Dalfox: Unauthenticated Remote DoS via Closed-Channel Write in `ParameterAnalysis` (server |
| CVE-2026-45088 | 7.5 HIGH | Dalfox: Unauthenticated Arbitrary File Read with Out-of-Band Exfiltration via `custom-payl |
IV. Related Vulnerabilities
Same weakness: CWE-73
- CVE-2025-52465
GeoServer has an arbitrary file write vulnerability in its M - CVE-2026-2604
Evolution-data-server: evolution data server: arbitrary file - CVE-2026-10303
ServerCo getssl ACME shell script path injection - CVE-2026-34030
Improper branch-code validation in Wertheim SafeController S - CVE-2026-47643
Azure Stack Edge Remote Code Execution Vulnerability
V. Comments for CVE-2026-45089
No comments yet